---
title: Self-signed TLS
---

import { Steps, Callout } from 'nextra-theme-docs'


# Guide: Issue Self-signed TLS Certificates for Enhanced Security

## Issue a Self-signed CA Certificate

To issue a self-signed CA certificate on Ubuntu, you can follow these steps:

<Steps>

### 1. Generate a private key for the CA:

```bash
openssl genrsa -des3 -out ca.key 4096
```

This command will create a new 4096-bit RSA key pair with 3DES encryption for the private key. You will be prompted to enter a passphrase to protect the key.

### 2. Generate a self-signed certificate for the CA:

```bash
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
```

This command will generate a self-signed X.509 certificate valid for 10 years using the private key generated in step 1. You will be prompted to enter some information about the CA, such as the common name and organization.

### 3. Copy the CA certificate and key to the appropriate locations:

```bash
sudo cp ca.crt /usr/local/share/ca-certificates/
sudo cp ca.key /usr/local/share/ca-certificates/private/
```

This command will copy the CA certificate to the system-wide trusted certificate store and the private key to a secure location only accessible by the root user.

### 4. Update the system's trusted certificate store:

```bash
sudo update-ca-certificates
```

This command will update the system's trusted certificate store with the newly installed CA certificate.
</Steps>

Your self-signed CA cerficate is now ready to be used to issue and sign other certificates for your own purposes.

## Issue certificates

To issue a .cer and .key file from the self-signed CA, you can follow these steps:

<Steps>

### 1. Generate a private key for the server:

```bash
openssl genrsa -out server.key 2048
```

This command will generate a new 2048-bit RSA key pair for the server.

### 2. Create a Certificate Signing Request (CSR) for the server:

```bash
openssl req -new -key server.key -out server.csr
```

This command will create a CSR for the server using the private key generated in step 1. You will be prompted to enter some information about the server, such as the common name and organization.

### 3. Sign the CSR with the self-signed CA:

```bash
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
```

This command will sign the CSR with the self-signed CA certificate and generate a new server certificate valid for 1 year. The `-CA` option specifies the path to the CA certificate, `-CAkey` specifies the path to the CA private key, and `-CAcreateserial` creates a unique serial number for the new server certificate.

### 4. Convert the server certificate and key to .cer and .key files:

```bash
openssl x509 -inform PEM -in server.crt -outform DER -out server.cer
openssl rsa -inform PEM -in server.key -outform DER -out server.key
```

These commands will convert the server certificate and key from PEM format to DER format and save them as .cer and .key files, respectively.
</Steps>

You now have a server certificate `server.cer` and key `server.key` issued and signed by your self-signed CA.